upgrade.php @ 3850:d4841d6d65d6

Visit:

Revision 3850:d4841d6d65d6, 36.3 KB checked in by franck <carnet.franck.paul@…>, 7 years ago (diff)
Security: Authenticated cross-site scripting (XSS) was possible due to the .ahtml (or .bhtml, .chtml, …) file extension being allowed in the media manager. Thank's Josiah Pierce for reporting this

Line
1	<?php
2	/**
3	* @brief Dotclear upgrade procedure
4	*
5	* @package Dotclear
6	* @subpackage Core
7	*
8	* @copyright Olivier Meunier & Association Dotclear
9	* @copyright GPL-2.0-only
10	*/
11
12	if (!defined('DC_RC_PATH')) {return;}
13
14	class dcUpgrade
15	{
16	public static function dotclearUpgrade($core)
17	{
18	$version = $core->getVersion('core');
19
20	if ($version === null) {
21	return false;
22	}
23
24	if (version_compare($version, DC_VERSION, '<') == 1 \|\| strpos(DC_VERSION, 'dev')) {
25	try
26	{
27	if ($core->con->driver() == 'sqlite') {
28	return false; // Need to find a way to upgrade sqlite database
29	}
30
31	# Database upgrade
32	$_s = new dbStruct($core->con, $core->prefix);
33	require dirname(__FILE__) . '/db-schema.php';
34
35	$si = new dbStruct($core->con, $core->prefix);
36	$changes = $si->synchronize($_s);
37
38	/* Some other upgrades
39	------------------------------------ */
40	$cleanup_sessions = self::growUp($core, $version);
41
42	# Drop content from session table if changes or if needed
43	if ($changes != 0 \|\| $cleanup_sessions) {
44	$core->con->execute('DELETE FROM ' . $core->prefix . 'session ');
45	}
46
47	# Empty templates cache directory
48	try {
49	$core->emptyTemplatesCache();
50	} catch (Exception $e) {}
51
52	return $changes;
53	} catch (Exception $e) {
54	throw new Exception(__('Something went wrong with auto upgrade:') .
55	' ' . $e->getMessage());
56	}
57	}
58
59	# No upgrade?
60	return false;
61	}
62
63	public static function growUp($core, $version)
64	{
65	if ($version === null) {
66	return false;
67	}
68
69	$cleanup_sessions = false; // update it in a step that needed sessions to be removed
70
71	# Populate media_dir field (since 2.0-beta3.3)
72	if (version_compare($version, '2.0-beta3.3', '<')) {
73	$strReq = 'SELECT media_id, media_file FROM ' . $core->prefix . 'media ';
74	$rs_m = $core->con->select($strReq);
75	while ($rs_m->fetch()) {
76	$cur = $core->con->openCursor($core->prefix . 'media');
77	$cur->media_dir = dirname($rs_m->media_file);
78	$cur->update('WHERE media_id = ' . (integer) $rs_m->media_id);
79	}
80	}
81
82	if (version_compare($version, '2.0-beta7.3', '<')) {
83	# Blowup becomes default theme
84	$strReq = 'UPDATE ' . $core->prefix . 'setting ' .
85	"SET setting_value = '%s' " .
86	"WHERE setting_id = 'theme' " .
87	"AND setting_value = '%s' " .
88	'AND blog_id IS NOT NULL ';
89	$core->con->execute(sprintf($strReq, 'blueSilence', 'default'));
90	$core->con->execute(sprintf($strReq, 'default', 'blowup'));
91	}
92
93	if (version_compare($version, '2.1-alpha2-r2383', '<')) {
94	$schema = dbSchema::init($core->con);
95	$schema->dropUnique($core->prefix . 'category', $core->prefix . 'uk_cat_title');
96
97	# Reindex categories
98	$rs = $core->con->select(
99	'SELECT cat_id, cat_title, blog_id ' .
100	'FROM ' . $core->prefix . 'category ' .
101	'ORDER BY blog_id ASC , cat_position ASC '
102	);
103	$cat_blog = $rs->blog_id;
104	$i = 2;
105	while ($rs->fetch()) {
106	if ($cat_blog != $rs->blog_id) {
107	$i = 2;
108	}
109	$core->con->execute(
110	'UPDATE ' . $core->prefix . 'category SET '
111	. 'cat_lft = ' . ($i++) . ', cat_rgt = ' . ($i++) . ' ' .
112	'WHERE cat_id = ' . (integer) $rs->cat_id
113	);
114	$cat_blog = $rs->blog_id;
115	}
116	}
117
118	if (version_compare($version, '2.1.6', '<=')) {
119	# ie7js has been upgraded
120	$ie7files = array(
121	'ie7-base64.php ',
122	'ie7-content.htc',
123	'ie7-core.js',
124	'ie7-css2-selectors.js',
125	'ie7-css3-selectors.js',
126	'ie7-css-strict.js',
127	'ie7-dhtml.js',
128	'ie7-dynamic-attributes.js',
129	'ie7-fixed.js',
130	'ie7-graphics.js',
131	'ie7-html4.js',
132	'ie7-ie5.js',
133	'ie7-layout.js',
134	'ie7-load.htc',
135	'ie7-object.htc',
136	'ie7-overflow.js',
137	'ie7-quirks.js',
138	'ie7-server.css',
139	'ie7-standard-p.js',
140	'ie7-xml-extras.js'
141	);
142	foreach ($ie7files as $f) {
143	@unlink(DC_ROOT . '/admin/js/ie7/' . $f);
144	}
145	}
146
147	if (version_compare($version, '2.2-alpha1-r3043', '<')) {
148	# metadata has been integrated to the core.
149	$core->plugins->loadModules(DC_PLUGINS_ROOT);
150	if ($core->plugins->moduleExists('metadata')) {
151	$core->plugins->deleteModule('metadata');
152	}
153
154	# Tags template class has been renamed
155	$sqlstr =
156	'SELECT blog_id, setting_id, setting_value ' .
157	'FROM ' . $core->prefix . 'setting ' .
158	'WHERE (setting_id = \'widgets_nav\' OR setting_id = \'widgets_extra\') ' .
159	'AND setting_ns = \'widgets\';';
160	$rs = $core->con->select($sqlstr);
161	while ($rs->fetch()) {
162	$widgetsettings = base64_decode($rs->setting_value);
163	$widgetsettings = str_replace('s:11:"tplMetadata"', 's:7:"tplTags"', $widgetsettings);
164	$cur = $core->con->openCursor($core->prefix . 'setting');
165	$cur->setting_value = base64_encode($widgetsettings);
166	$sqlstr = 'WHERE setting_id = \'' . $rs->setting_id . '\' AND setting_ns = \'widgets\' ' .
167	'AND blog_id ' .
168	($rs->blog_id == null ? 'is NULL' : '= \'' . $core->con->escape($rs->blog_id) . '\'');
169	$cur->update($sqlstr);
170	}
171	}
172
173	if (version_compare($version, '2.3', '<')) {
174	# Add global favorites
175	$init_fav = array();
176
177	$init_fav['new_post'] = array('new_post', 'New entry', 'post.php',
178	'images/menu/edit.png', 'images/menu/edit-b.png',
179	'usage,contentadmin', null, null);
180	$init_fav['newpage'] = array('newpage', 'New page', 'plugin.php?p=pages&act=page',
181	'index.php?pf=pages/icon-np.png', 'index.php?pf=pages/icon-np-big.png',
182	'contentadmin,pages', null, null);
183	$init_fav['media'] = array('media', 'Media manager', 'media.php',
184	'images/menu/media.png', 'images/menu/media-b.png',
185	'media,media_admin', null, null);
186	$init_fav['widgets'] = array('widgets', 'Presentation widgets', 'plugin.php?p=widgets',
187	'index.php?pf=widgets/icon.png', 'index.php?pf=widgets/icon-big.png',
188	'admin', null, null);
189	$init_fav['blog_theme'] = array('blog_theme', 'Blog appearance', 'blog_theme.php',
190	'images/menu/themes.png', 'images/menu/blog-theme-b.png',
191	'admin', null, null);
192
193	$count = 0;
194	foreach ($init_fav as $k => $f) {
195	$t = array('name' => $f[0], 'title' => $f[1], 'url' => $f[2], 'small-icon' => $f[3],
196	'large-icon' => $f[4], 'permissions' => $f[5], 'id' => $f[6], 'class' => $f[7]);
197	$sqlstr = 'INSERT INTO ' . $core->prefix . 'pref (pref_id, user_id, pref_ws, pref_value, pref_type, pref_label) VALUES (' .
198	'\'' . sprintf("g%03s", $count) . '\',NULL,\'favorites\',\'' . serialize($t) . '\',\'string\',NULL);';
199	$core->con->execute($sqlstr);
200	$count++;
201	}
202
203	# A bit of housecleaning for no longer needed files
204	$remfiles = array(
205	'admin/style/cat-bg.png',
206	'admin/style/footer-bg.png',
207	'admin/style/head-logo.png',
208	'admin/style/tab-bg.png',
209	'admin/style/tab-c-l.png',
210	'admin/style/tab-c-r.png',
211	'admin/style/tab-l-l.png',
212	'admin/style/tab-l-r.png',
213	'admin/style/tab-n-l.png',
214	'admin/style/tab-n-r.png',
215	'inc/clearbricks/_common.php',
216	'inc/clearbricks/common/lib.crypt.php',
217	'inc/clearbricks/common/lib.date.php',
218	'inc/clearbricks/common/lib.files.php',
219	'inc/clearbricks/common/lib.form.php',
220	'inc/clearbricks/common/lib.html.php',
221	'inc/clearbricks/common/lib.http.php',
222	'inc/clearbricks/common/lib.l10n.php',
223	'inc/clearbricks/common/lib.text.php',
224	'inc/clearbricks/common/tz.dat',
225	'inc/clearbricks/common/_main.php',
226	'inc/clearbricks/dblayer/class.cursor.php',
227	'inc/clearbricks/dblayer/class.mysql.php',
228	'inc/clearbricks/dblayer/class.pgsql.php',
229	'inc/clearbricks/dblayer/class.sqlite.php',
230	'inc/clearbricks/dblayer/dblayer.php',
231	'inc/clearbricks/dbschema/class.dbschema.php',
232	'inc/clearbricks/dbschema/class.dbstruct.php',
233	'inc/clearbricks/dbschema/class.mysql.dbschema.php',
234	'inc/clearbricks/dbschema/class.pgsql.dbschema.php',
235	'inc/clearbricks/dbschema/class.sqlite.dbschema.php',
236	'inc/clearbricks/diff/lib.diff.php',
237	'inc/clearbricks/diff/lib.unified.diff.php',
238	'inc/clearbricks/filemanager/class.filemanager.php',
239	'inc/clearbricks/html.filter/class.html.filter.php',
240	'inc/clearbricks/html.validator/class.html.validator.php',
241	'inc/clearbricks/image/class.image.meta.php',
242	'inc/clearbricks/image/class.image.tools.php',
243	'inc/clearbricks/mail/class.mail.php',
244	'inc/clearbricks/mail/class.socket.mail.php',
245	'inc/clearbricks/net/class.net.socket.php',
246	'inc/clearbricks/net.http/class.net.http.php',
247	'inc/clearbricks/net.http.feed/class.feed.parser.php',
248	'inc/clearbricks/net.http.feed/class.feed.reader.php',
249	'inc/clearbricks/net.xmlrpc/class.net.xmlrpc.php',
250	'inc/clearbricks/pager/class.pager.php',
251	'inc/clearbricks/rest/class.rest.php',
252	'inc/clearbricks/session.db/class.session.db.php',
253	'inc/clearbricks/template/class.template.php',
254	'inc/clearbricks/text.wiki2xhtml/class.wiki2xhtml.php',
255	'inc/clearbricks/url.handler/class.url.handler.php',
256	'inc/clearbricks/zip/class.unzip.php',
257	'inc/clearbricks/zip/class.zip.php',
258	'themes/default/tpl/.htaccess',
259	'themes/default/tpl/404.html',
260	'themes/default/tpl/archive.html',
261	'themes/default/tpl/archive_month.html',
262	'themes/default/tpl/category.html',
263	'themes/default/tpl/home.html',
264	'themes/default/tpl/post.html',
265	'themes/default/tpl/search.html',
266	'themes/default/tpl/tag.html',
267	'themes/default/tpl/tags.html',
268	'themes/default/tpl/user_head.html',
269	'themes/default/tpl/_flv_player.html',
270	'themes/default/tpl/_footer.html',
271	'themes/default/tpl/_head.html',
272	'themes/default/tpl/_mp3_player.html',
273	'themes/default/tpl/_top.html'
274	);
275	$remfolders = array(
276	'inc/clearbricks/common',
277	'inc/clearbricks/dblayer',
278	'inc/clearbricks/dbschema',
279	'inc/clearbricks/diff',
280	'inc/clearbricks/filemanager',
281	'inc/clearbricks/html.filter',
282	'inc/clearbricks/html.validator',
283	'inc/clearbricks/image',
284	'inc/clearbricks/mail',
285	'inc/clearbricks/net',
286	'inc/clearbricks/net.http',
287	'inc/clearbricks/net.http.feed',
288	'inc/clearbricks/net.xmlrpc',
289	'inc/clearbricks/pager',
290	'inc/clearbricks/rest',
291	'inc/clearbricks/session.db',
292	'inc/clearbricks/template',
293	'inc/clearbricks/text.wiki2xhtml',
294	'inc/clearbricks/url.handler',
295	'inc/clearbricks/zip',
296	'inc/clearbricks',
297	'themes/default/tpl'
298	);
299
300	foreach ($remfiles as $f) {
301	@unlink(DC_ROOT . '/' . $f);
302	}
303	foreach ($remfolders as $f) {
304	@rmdir(DC_ROOT . '/' . $f);
305	}
306	}
307
308	if (version_compare($version, '2.3.1', '<')) {
309	# Remove unecessary file
310	@unlink(DC_ROOT . '/' . 'inc/libs/clearbricks/.hgignore');
311	}
312
313	if (version_compare($version, '2.4.0', '<=')) {
314	# setup media_exclusion
315	$strReq = 'UPDATE ' . $core->prefix . 'setting ' .
316	"SET setting_value = '/\\.php\$/i' " .
317	"WHERE setting_id = 'media_exclusion' " .
318	"AND setting_value = '' ";
319	$core->con->execute($strReq);
320	}
321
322	if (version_compare($version, '2.5', '<=')) {
323	# Try to disable daInstaller plugin if it has been installed outside the default plugins directory
324	$path = explode(PATH_SEPARATOR, DC_PLUGINS_ROOT);
325	$default = path::real(dirname(__FILE__) . '/../../plugins/');
326	foreach ($path as $root) {
327	if (!is_dir($root) \|\| !is_readable($root)) {
328	continue;
329	}
330	if (substr($root, -1) != '/') {
331	$root .= '/';
332	}
333	if (($p = @dir($root)) === false) {
334	continue;
335	}
336	if (path::real($root) == $default) {
337	continue;
338	}
339	if (($d = @dir($root . 'daInstaller')) === false) {
340	continue;
341	}
342	$f = $root . '/daInstaller/_disabled';
343	if (!file_exists($f)) {
344	@file_put_contents($f, '');
345	}
346	}
347	}
348
349	if (version_compare($version, '2.5.1', '<=')) {
350	// Flash enhanced upload no longer needed
351	@unlink(DC_ROOT . '/' . 'inc/swf/swfupload.swf');
352	}
353
354	if (version_compare($version, '2.6', '<=')) {
355	// README has been replaced by README.md and CONTRIBUTING.md
356	@unlink(DC_ROOT . '/' . 'README');
357
358	// trackbacks are now merged into posts
359	@unlink(DC_ROOT . '/' . 'admin/trackbacks.php');
360
361	# daInstaller has been integrated to the core.
362	# Try to remove it
363	$path = explode(PATH_SEPARATOR, DC_PLUGINS_ROOT);
364	foreach ($path as $root) {
365	if (!is_dir($root) \|\| !is_readable($root)) {
366	continue;
367	}
368	if (substr($root, -1) != '/') {
369	$root .= '/';
370	}
371	if (($p = @dir($root)) === false) {
372	continue;
373	}
374	if (($d = @dir($root . 'daInstaller')) === false) {
375	continue;
376	}
377	files::deltree($root . '/daInstaller');
378	}
379
380	# Some settings change, prepare db queries
381	$strReqFormat = 'INSERT INTO ' . $core->prefix . 'setting';
382	$strReqFormat .= ' (setting_id,setting_ns,setting_value,setting_type,setting_label)';
383	$strReqFormat .= ' VALUES(\'%s\',\'system\',\'%s\',\'string\',\'%s\')';
384
385	$strReqSelect = 'SELECT count(1) FROM ' . $core->prefix . 'setting';
386	$strReqSelect .= ' WHERE setting_id = \'%s\'';
387	$strReqSelect .= ' AND setting_ns = \'system\'';
388	$strReqSelect .= ' AND blog_id IS NULL';
389
390	# Add date and time formats
391	$date_formats = array('%Y-%m-%d', '%m/%d/%Y', '%d/%m/%Y', '%Y/%m/%d', '%d.%m.%Y', '%b %e %Y', '%e %b %Y', '%Y %b %e',
392	'%a, %Y-%m-%d', '%a, %m/%d/%Y', '%a, %d/%m/%Y', '%a, %Y/%m/%d', '%B %e, %Y', '%e %B, %Y', '%Y, %B %e', '%e. %B %Y',
393	'%A, %B %e, %Y', '%A, %e %B, %Y', '%A, %Y, %B %e', '%A, %Y, %B %e', '%A, %e. %B %Y');
394	$time_formats = array('%H:%M', '%I:%M', '%l:%M', '%Hh%M', '%Ih%M', '%lh%M');
395	if (strtoupper(substr(PHP_OS, 0, 3)) == 'WIN') {
396	$date_formats = array_map(function ($f) {return str_replace('%e', '%#d', $f);}, $date_formats);
397	}
398
399	$rs = $core->con->select(sprintf($strReqSelect, 'date_formats'));
400	if ($rs->f(0) == 0) {
401	$strReq = sprintf($strReqFormat, 'date_formats', serialize($date_formats), 'Date formats examples');
402	$core->con->execute($strReq);
403	}
404	$rs = $core->con->select(sprintf($strReqSelect, 'time_formats'));
405	if ($rs->f(0) == 0) {
406	$strReq = sprintf($strReqFormat, 'time_formats', serialize($time_formats), 'Time formats examples');
407	$core->con->execute($strReq);
408	}
409
410	# Add repository URL for themes and plugins as daInstaller move to core
411	$rs = $core->con->select(sprintf($strReqSelect, 'store_plugin_url'));
412	if ($rs->f(0) == 0) {
413	$strReq = sprintf($strReqFormat, 'store_plugin_url', 'http://update.dotaddict.org/dc2/plugins.xml', 'Plugins XML feed location');
414	$core->con->execute($strReq);
415	}
416	$rs = $core->con->select(sprintf($strReqSelect, 'store_theme_url'));
417	if ($rs->f(0) == 0) {
418	$strReq = sprintf($strReqFormat, 'store_theme_url', 'http://update.dotaddict.org/dc2/themes.xml', 'Themes XML feed location');
419	$core->con->execute($strReq);
420	}
421	}
422
423	if (version_compare($version, '2.7', '<=')) {
424	# Some new settings should be initialized, prepare db queries
425	$strReqFormat = 'INSERT INTO ' . $core->prefix . 'setting';
426	$strReqFormat .= ' (setting_id,setting_ns,setting_value,setting_type,setting_label)';
427	$strReqFormat .= ' VALUES(\'%s\',\'system\',\'%s\',\'string\',\'%s\')';
428
429	$strReqCount = 'SELECT count(1) FROM ' . $core->prefix . 'setting';
430	$strReqCount .= ' WHERE setting_id = \'%s\'';
431	$strReqCount .= ' AND setting_ns = \'system\'';
432	$strReqCount .= ' AND blog_id IS NULL';
433
434	$strReqSelect = 'SELECT setting_value FROM ' . $core->prefix . 'setting';
435	$strReqSelect .= ' WHERE setting_id = \'%s\'';
436	$strReqSelect .= ' AND setting_ns = \'system\'';
437	$strReqSelect .= ' AND blog_id IS NULL';
438
439	# Add nb of posts for home (first page), copying nb of posts on every page
440	$rs = $core->con->select(sprintf($strReqCount, 'nb_post_for_home'));
441	if ($rs->f(0) == 0) {
442	$rs = $core->con->select(sprintf($strReqSelect, 'nb_post_per_page'));
443	$strReq = sprintf($strReqFormat, 'nb_post_for_home', $rs->f(0), 'Nb of posts on home (first page only)');
444	$core->con->execute($strReq);
445	}
446	}
447
448	if (version_compare($version, '2.8.1', '<=')) {
449	# switch from jQuery 1.11.1 to 1.11.2
450	$strReq = 'UPDATE ' . $core->prefix . 'setting ' .
451	" SET setting_value = '1.11.3' " .
452	" WHERE setting_id = 'jquery_version' " .
453	" AND setting_ns = 'system' " .
454	" AND setting_value = '1.11.1' ";
455	$core->con->execute($strReq);
456	# setup media_exclusion (cope with php, php5, php7, … rather than only .php)
457	$strReq = 'UPDATE ' . $core->prefix . 'setting ' .
458	" SET setting_value = '/\\.php[0-9]*\$/i' " .
459	" WHERE setting_id = 'media_exclusion' " .
460	" AND setting_ns = 'system' " .
461	" AND setting_value = '/\\.php\$/i' ";
462	$core->con->execute($strReq);
463	# Some new settings should be initialized, prepare db queries
464	$strReq = 'INSERT INTO ' . $core->prefix . 'setting' .
465	' (setting_id,setting_ns,setting_value,setting_type,setting_label)' .
466	' VALUES(\'%s\',\'system\',\'%s\',\'boolean\',\'%s\')';
467	$core->con->execute(sprintf($strReq, 'no_search', '0', 'Disable internal search system'));
468	}
469
470	if (version_compare($version, '2.8.2', '<=')) {
471	# Update flie exclusion upload regex
472	$strReq = 'UPDATE ' . $core->prefix . 'setting ' .
473	" SET setting_value = '/\\.(phps?\|pht(ml)?\|phl)[0-9]*\$/i' " .
474	" WHERE setting_id = 'media_exclusion' " .
475	" AND setting_ns = 'system' " .
476	" AND (setting_value = '/\\.php[0-9]*\$/i' " .
477	" OR setting_value = '/\\.php\$/i') ";
478	$core->con->execute($strReq);
479	}
480
481	if (version_compare($version, '2.9', '<=')) {
482	# Some new settings should be initialized, prepare db queries
483	$strReq = 'INSERT INTO ' . $core->prefix . 'setting' .
484	' (setting_id,setting_ns,setting_value,setting_type,setting_label)' .
485	' VALUES(\'%s\',\'system\',\'%s\',\'%s\',\'%s\')';
486	$core->con->execute(
487	sprintf($strReq, 'media_video_width', '400', 'integer', 'Media video insertion width'));
488	$core->con->execute(
489	sprintf($strReq, 'media_video_height', '300', 'integer', 'Media video insertion height'));
490	$core->con->execute(
491	sprintf($strReq, 'media_flash_fallback', '1', 'boolean', 'Flash player fallback for audio and video media'));
492
493	# Some settings and prefs should be moved from string to array
494	self::settings2array('system', 'date_formats');
495	self::settings2array('system', 'time_formats');
496	self::settings2array('antispam', 'antispam_filters');
497	self::settings2array('pings', 'pings_uris');
498	self::settings2array('system', 'simpleMenu');
499	self::prefs2array('dashboard', 'favorites');
500	}
501
502	if (version_compare($version, '2.9.1', '<=')) {
503	# Some settings and prefs should be moved from string to array
504	self::prefs2array('dashboard', 'favorites');
505	self::prefs2array('interface', 'media_last_dirs');
506
507	# Update flie exclusion upload regex
508	$strReq = 'UPDATE ' . $core->prefix . 'setting ' .
509	" SET setting_value = '/\\.(phps?\|pht(ml)?\|phl\|s?html?\|js)[0-9]*\$/i' " .
510	" WHERE setting_id = 'media_exclusion' " .
511	" AND setting_ns = 'system' " .
512	" AND (setting_value = '/\\.php[0-9]*\$/i' " .
513	" OR setting_value = '/\\.php\$/i') " .
514	" OR setting_value = '/\\.(phps?\|pht(ml)?\|phl)[0-9]*\$/i' ";
515	$core->con->execute($strReq);
516	}
517
518	if (version_compare($version, '2.10', '<')) {
519	@unlink(DC_ROOT . '/' . 'admin/js/jsUpload/vendor/jquery.ui.widget.js');
520	@rmdir(DC_ROOT . '/' . 'admin/js/jsUpload/vendor');
521
522	# Create new var directory and its .htaccess file
523	@files::makeDir(DC_VAR);
524	$f = DC_VAR . '/.htaccess';
525	if (!file_exists($f)) {
526	@file_put_contents($f, 'Require all denied' . "\n" . 'Deny from all' . "\n");
527	}
528
529	# Update flie exclusion upload regex
530	$strReq = 'UPDATE ' . $core->prefix . 'setting ' .
531	" SET setting_value = '/\\.(phps?\|pht(ml)?\|phl\|s?html?\|js\|htaccess)[0-9]*\$/i' " .
532	" WHERE setting_id = 'media_exclusion' " .
533	" AND setting_ns = 'system' " .
534	" AND (setting_value = '/\\.php[0-9]*\$/i' " .
535	" OR setting_value = '/\\.php\$/i') " .
536	" OR setting_value = '/\\.(phps?\|pht(ml)?\|phl)[0-9]*\$/i' " .
537	" OR setting_value = '/\\.(phps?\|pht(ml)?\|phl\|s?html?\|js)[0-9]*\$/i'";
538	$core->con->execute($strReq);
539
540	# Some new settings should be initialized, prepare db queries
541	$strReq = 'INSERT INTO ' . $core->prefix . 'setting' .
542	' (setting_id,setting_ns,setting_value,setting_type,setting_label)' .
543	' VALUES(\'%s\',\'system\',\'%s\',\'%s\',\'%s\')';
544	# Import feed control
545	$core->con->execute(
546	sprintf($strReq, 'import_feed_url_control', true, 'boolean', 'Control feed URL before import'));
547	$core->con->execute(
548	sprintf($strReq, 'import_feed_no_private_ip', true, 'boolean', 'Prevent import feed from private IP'));
549	$core->con->execute(
550	sprintf($strReq, 'import_feed_ip_regexp', '', 'string', 'Authorize import feed only from this IP regexp'));
551	$core->con->execute(
552	sprintf($strReq, 'import_feed_port_regexp', '/^(80\|443)$/', 'string', 'Authorize import feed only from this port regexp'));
553	# CSP directive (admin part)
554	$core->con->execute(
555	sprintf($strReq, 'csp_admin_on', true, 'boolean', 'Send CSP header (admin)'));
556	$core->con->execute(
557	sprintf($strReq, 'csp_admin_default', "''self''", 'string', 'CSP default-src directive'));
558	$core->con->execute(
559	sprintf($strReq, 'csp_admin_script', "''self'' ''unsafe-inline'' ''unsafe-eval''", 'string', 'CSP script-src directive'));
560	$core->con->execute(
561	sprintf($strReq, 'csp_admin_style', "''self'' ''unsafe-inline''", 'string', 'CSP style-src directive'));
562	$core->con->execute(
563	sprintf($strReq, 'csp_admin_img', "''self'' data: media.dotaddict.org", 'string', 'CSP img-src directive'));
564	}
565
566	if (version_compare($version, '2.11', '<')) {
567	// Remove the CSP report file from it's old place
568	@unlink(DC_ROOT . '/admin/csp_report.txt');
569
570	# Some new settings should be initialized, prepare db queries
571	$strReq = 'INSERT INTO ' . $core->prefix . 'setting' .
572	' (setting_id,setting_ns,setting_value,setting_type,setting_label)' .
573	' VALUES(\'%s\',\'system\',\'%s\',\'%s\',\'%s\')';
574	$core->con->execute(
575	sprintf($strReq, 'csp_admin_report_only', false, 'boolean', 'CSP Report only violations (admin)'));
576
577	// SQlite Clearbricks driver does not allow using single quote at beginning or end of a field value
578	// so we have to use neutral values (localhost and 127.0.0.1) for some CSP directives
579	$csp_prefix = $core->con->driver() == 'sqlite' ? 'localhost ' : ''; // Hack for SQlite Clearbricks driver
580	$csp_suffix = $core->con->driver() == 'sqlite' ? ' 127.0.0.1' : ''; // Hack for SQlite Clearbricks driver
581
582	# Try to fix some CSP directive wrongly stored for SQLite drivers
583	$strReq = 'UPDATE ' . $core->prefix . 'setting ' .
584	" SET setting_value = '" . $csp_prefix . "''self''" . $csp_suffix . "' " .
585	" WHERE setting_id = 'csp_admin_default' " .
586	" AND setting_ns = 'system' " .
587	" AND setting_value = 'self' ";
588	$core->con->execute($strReq);
589	$strReq = 'UPDATE ' . $core->prefix . 'setting ' .
590	" SET setting_value = '" . $csp_prefix . "''self'' ''unsafe-inline'' ''unsafe-eval''" . $csp_suffix . "' " .
591	" WHERE setting_id = 'csp_admin_script' " .
592	" AND setting_ns = 'system' " .
593	" AND setting_value = 'self'' ''unsafe-inline'' ''unsafe-eval' ";
594	$core->con->execute($strReq);
595	$strReq = 'UPDATE ' . $core->prefix . 'setting ' .
596	" SET setting_value = '" . $csp_prefix . "''self'' ''unsafe-inline''" . $csp_suffix . "' " .
597	" WHERE setting_id = 'csp_admin_style' " .
598	" AND setting_ns = 'system' " .
599	" AND setting_value = 'self'' ''unsafe-inline' ";
600	$core->con->execute($strReq);
601	$strReq = 'UPDATE ' . $core->prefix . 'setting ' .
602	" SET setting_value = '" . $csp_prefix . "''self'' data: media.dotaddict.org blob:' " .
603	" WHERE setting_id = 'csp_admin_img' " .
604	" AND setting_ns = 'system' " .
605	" AND setting_value = 'self'' data: media.dotaddict.org' ";
606	$core->con->execute($strReq);
607
608	# Update CSP img-src default directive
609	$strReq = 'UPDATE ' . $core->prefix . 'setting ' .
610	" SET setting_value = '" . $csp_prefix . "''self'' data: media.dotaddict.org blob:' " .
611	" WHERE setting_id = 'csp_admin_img' " .
612	" AND setting_ns = 'system' " .
613	" AND setting_value = '''self'' data: media.dotaddict.org' ";
614	$core->con->execute($strReq);
615
616	# Update first publication on published posts
617	$strReq = 'UPDATE ' . $core->prefix . 'post ' .
618	'SET post_firstpub = 1 ' .
619	'WHERE post_status = 1 ';
620	$core->con->execute($strReq);
621
622	# A bit of housecleaning for no longer needed files
623	$remfiles = array(
624	'admin/js/jquery/jquery.modal.js',
625	'admin/style/modal/close.png',
626	'admin/style/modal/loader.gif',
627	'admin/style/modal/modal.css',
628	'admin/js/dragsort-tablerows.js',
629	'admin/js/tool-man/cookies.js',
630	'admin/js/tool-man/coordinates.js',
631	'admin/js/tool-man/core.js',
632	'admin/js/tool-man/css.js',
633	'admin/js/tool-man/drag.js',
634	'admin/js/tool-man/dragsort.js',
635	'admin/js/tool-man/events.js',
636	'admin/js/ie7/IE7.js',
637	'admin/js/ie7/IE8.js',
638	'admin/js/ie7/IE9.js',
639	'admin/js/ie7/blank.gif',
640	'admin/js/ie7/ie7-hashchange.js',
641	'admin/js/ie7/ie7-recalc.js',
642	'admin/js/ie7/ie7-squish.js',
643	'admin/style/iesucks.css',
644	'plugins/tags/js/jquery.autocomplete.js',
645	'theme/ductile/ie.css'
646	);
647	$remfolders = array(
648	'admin/style/modal',
649	'admin/js/tool-man',
650	'admin/js/ie7'
651	);
652
653	foreach ($remfiles as $f) {
654	@unlink(DC_ROOT . '/' . $f);
655	}
656	foreach ($remfolders as $f) {
657	@rmdir(DC_ROOT . '/' . $f);
658	}
659	}
660
661	if (version_compare($version, '2.12', '<')) {
662	# switch from jQuery 2.2.0 to 2.2.4
663	$strReq = 'UPDATE ' . $core->prefix . 'setting ' .
664	" SET setting_value = '2.2.4' " .
665	" WHERE setting_id = 'jquery_version' " .
666	" AND setting_ns = 'system' " .
667	" AND setting_value = '2.2.0' ";
668	$core->con->execute($strReq);
669	}
670
671	if (version_compare($version, '2.12.2', '<')) {
672	// SQlite Clearbricks driver does not allow using single quote at beginning or end of a field value
673	// so we have to use neutral values (localhost and 127.0.0.1) for some CSP directives
674	$csp_prefix = $core->con->driver() == 'sqlite' ? 'localhost ' : ''; // Hack for SQlite Clearbricks driver
675
676	# Update CSP img-src default directive
677	$strReq = 'UPDATE ' . $core->prefix . 'setting ' .
678	" SET setting_value = '" . $csp_prefix . "''self'' data: http://media.dotaddict.org blob:' " .
679	" WHERE setting_id = 'csp_admin_img' " .
680	" AND setting_ns = 'system' " .
681	" AND setting_value = '" . $csp_prefix . "''self'' data: media.dotaddict.org blob:' ";
682	$core->con->execute($strReq);
683	}
684
685	if (version_compare($version, '2.14', '<')) {
686	// File not more needed
687	@unlink(DC_ROOT . '/' . 'admin/js/jquery/jquery.bgFade.js');
688	}
689
690	if (version_compare($version, '2.14.2', '<')) {
691	# Update flie exclusion upload regex
692	$strReq = 'UPDATE ' . $core->prefix . 'setting ' .
693	" SET setting_value = '/\\.(phps?\|pht(ml)?\|phl\|.?html?\|js\|htaccess)[0-9]*\$/i' " .
694	" WHERE setting_id = 'media_exclusion' " .
695	" AND setting_ns = 'system' " .
696	" AND (setting_value = '/\\.php[0-9]*\$/i' " .
697	" OR setting_value = '/\\.php\$/i') " .
698	" OR setting_value = '/\\.(phps?\|pht(ml)?\|phl)[0-9]*\$/i' " .
699	" OR setting_value = '/\\.(phps?\|pht(ml)?\|phl\|s?html?\|js)[0-9]*\$/i'" .
700	" OR setting_value = '/\\.(phps?\|pht(ml)?\|phl\|s?html?\|js\|htaccess)[0-9]*\$/i'";
701	$core->con->execute($strReq);
702	}
703
704	$core->setVersion('core', DC_VERSION);
705	$core->blogDefaults();
706
707	return $cleanup_sessions;
708	}
709
710	/**
711	* Convert old-fashion serialized array setting to new-fashion json encoded array
712	* @param $ns namespace
713	* @param $setting setting name (id)
714	*/
715	public static function settings2array($ns, $setting)
716	{
717	global $core;
718
719	$strReqSelect =
720	"SELECT setting_id,blog_id,setting_ns,setting_type,setting_value FROM " . $core->prefix . "setting " .
721	"WHERE setting_id = '%s' " .
722	"AND setting_ns = '%s' " .
723	"AND setting_type = 'string'";
724	$rs = $core->con->select(sprintf($strReqSelect, $setting, $ns));
725	while ($rs->fetch()) {
726	$value = @unserialize($rs->setting_value);
727	if (!$value) {
728	$value = array();
729	}
730	settype($value, 'array');
731	$value = json_encode($value);
732	$rs2 = "UPDATE " . $core->prefix . "setting " .
733	"SET setting_type='array', setting_value = '" . $core->con->escape($value) . "' " .
734	"WHERE setting_id='" . $core->con->escape($rs->setting_id) . "' " .
735	"AND setting_ns='" . $core->con->escape($rs->setting_ns) . "' ";
736	if ($rs->blog_id == '') {
737	$rs2 .= "AND blog_id IS null";
738	} else {
739	$rs2 .= "AND blog_id = '" . $core->con->escape($rs->blog_id) . "'";
740	}
741	$core->con->execute($rs2);
742	}
743	}
744
745	/**
746	* Convert old-fashion serialized array pref to new-fashion json encoded array
747	* @param $ws workspace
748	* @param $pref pref name (id)
749	*/
750	public static function prefs2array($ws, $pref)
751	{
752	global $core;
753
754	$strReqSelect =
755	"SELECT pref_id,user_id,pref_ws,pref_type,pref_value FROM " . $core->prefix . "pref " .
756	"WHERE pref_id = '%s' " .
757	"AND pref_ws = '%s' " .
758	"AND pref_type = 'string'";
759	$rs = $core->con->select(sprintf($strReqSelect, $pref, $ws));
760	while ($rs->fetch()) {
761	$value = @unserialize($rs->pref_value);
762	if (!$value) {
763	$value = array();
764	}
765	settype($value, 'array');
766	$value = json_encode($value);
767	$rs2 = "UPDATE " . $core->prefix . "pref " .
768	"SET pref_type='array', pref_value = '" . $core->con->escape($value) . "' " .
769	"WHERE pref_id='" . $core->con->escape($rs->pref_id) . "' " .
770	"AND pref_ws='" . $core->con->escape($rs->pref_ws) . "' ";
771	if ($rs->user_id == '') {
772	$rs2 .= "AND user_id IS null";
773	} else {
774	$rs2 .= "AND user_id = '" . $core->con->escape($rs->user_id) . "'";
775	}
776	$core->con->execute($rs2);
777	}
778	}
779	}

Note: See TracBrowser for help on using the repository browser.

Dotclear

Context Navigation

source: inc/dbschema/upgrade.php @ 3850:d4841d6d65d6

Download in other formats:

Sites map